{
 "cells": [
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "# T1087.001 - Account Discovery: Local Account",
    "\n",
    "Adversaries may attempt to get a listing of local system accounts. This information can help adversaries determine which local accounts exist on a system to aid in follow-on behavior.\n\nCommands such as <code>net user</code> and <code>net localgroup</code> of the [Net](https://attack.mitre.org/software/S0039) utility and <code>id</code> and <code>groups</code>on macOS and Linux can list local users and groups. On Linux, local users can also be enumerated through the use of the <code>/etc/passwd</code> file."
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "## Atomic Tests"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": null,
   "metadata": {},
   "outputs": [],
   "source": [
    "#Import the Module before running the tests.\n# Checkout Jupyter Notebook at https://github.com/haresudhan/TheAtomicPlaybook to run PS scripts.\nImport-Module /Users/0x6c/AtomicRedTeam/atomics/invoke-atomicredteam/Invoke-AtomicRedTeam.psd1 - Force"
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "### Atomic Test #1 - Enumerate all accounts (Local)\nEnumerate all accounts by copying /etc/passwd to another file\n\n**Supported Platforms:** linux, macos\n#### Attack Commands: Run with `sh`\n```sh\ncat /etc/passwd > /tmp/T1087.001.txt\ncat /tmp/T1087.001.txt\n```"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": null,
   "metadata": {},
   "outputs": [],
   "source": [
    "Invoke-AtomicTest T1087.001 -TestNumbers 1"
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "### Atomic Test #2 - View sudoers access\n(requires root)\n\n**Supported Platforms:** linux, macos\nElevation Required (e.g. root or admin)\n#### Attack Commands: Run with `sh`\n```sh\nsudo cat /etc/sudoers > /tmp/T1087.001.txt\ncat /tmp/T1087.001.txt\n```"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": null,
   "metadata": {},
   "outputs": [],
   "source": [
    "Invoke-AtomicTest T1087.001 -TestNumbers 2"
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "### Atomic Test #3 - View accounts with UID 0\nView accounts with UID 0\n\n**Supported Platforms:** linux, macos\n#### Attack Commands: Run with `sh`\n```sh\ngrep 'x:0:' /etc/passwd > /tmp/T1087.001.txt\ncat /tmp/T1087.001.txt 2>/dev/null\n```"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": null,
   "metadata": {},
   "outputs": [],
   "source": [
    "Invoke-AtomicTest T1087.001 -TestNumbers 3"
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "### Atomic Test #4 - List opened files by user\nList opened files by user\n\n**Supported Platforms:** linux, macos\n#### Attack Commands: Run with `sh`\n```sh\nusername=$(echo $HOME | awk -F'/' '{print $3}') && lsof -u $username\n```"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": null,
   "metadata": {},
   "outputs": [],
   "source": [
    "Invoke-AtomicTest T1087.001 -TestNumbers 4"
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "### Atomic Test #5 - Show if a user account has ever logged in remotely\nShow if a user account has ever logged in remotely\n\n**Supported Platforms:** linux\n#### Dependencies:  Run with `sh`!\n##### Description: Check if lastlog command exists on the machine\n\n##### Check Prereq Commands:\n```sh\nif [ -x \"$(command -v lastlog)\" ]; then exit 0; else exit 1;\n\n```\n##### Get Prereq Commands:\n```sh\necho \"Install lastlog on the machine to run the test.\"; exit 1;\n\n```"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": null,
   "metadata": {},
   "outputs": [],
   "source": [
    "Invoke-AtomicTest T1087.001 -TestNumbers 5 -GetPreReqs"
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "#### Attack Commands: Run with `sh`\n```sh\nlastlog > /tmp/T1087.001.txt\ncat /tmp/T1087.001.txt\n```"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": null,
   "metadata": {},
   "outputs": [],
   "source": [
    "Invoke-AtomicTest T1087.001 -TestNumbers 5"
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "### Atomic Test #6 - Enumerate users and groups\nUtilize groups and id to enumerate users and groups\n\n**Supported Platforms:** linux, macos\n#### Attack Commands: Run with `sh`\n```sh\ngroups\nid\n```"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": null,
   "metadata": {},
   "outputs": [],
   "source": [
    "Invoke-AtomicTest T1087.001 -TestNumbers 6"
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "### Atomic Test #7 - Enumerate users and groups\nUtilize local utilities to enumerate users and groups\n\n**Supported Platforms:** macos\n#### Attack Commands: Run with `sh`\n```sh\ndscl . list /Groups\ndscl . list /Users\ndscl . list /Users | grep -v '_'\ndscacheutil -q group\ndscacheutil -q user\n```"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": null,
   "metadata": {},
   "outputs": [],
   "source": [
    "Invoke-AtomicTest T1087.001 -TestNumbers 7"
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "### Atomic Test #8 - Enumerate all accounts on Windows (Local)\nEnumerate all accounts\nUpon exection, multiple enumeration commands will be run and their output displayed in the PowerShell session\n\n**Supported Platforms:** windows\n#### Attack Commands: Run with `command_prompt`\n```command_prompt\nnet user\ndir c:\\Users\\\ncmdkey.exe /list\nnet localgroup \"Users\"\nnet localgroup\n```"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": null,
   "metadata": {},
   "outputs": [],
   "source": [
    "Invoke-AtomicTest T1087.001 -TestNumbers 8"
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "### Atomic Test #9 - Enumerate all accounts via PowerShell (Local)\nEnumerate all accounts via PowerShell. Upon execution, lots of user account and group information will be displayed.\n\n**Supported Platforms:** windows\n#### Attack Commands: Run with `powershell`\n```powershell\nnet user\nget-localuser\nget-localgroupmember -group Users\ncmdkey.exe /list\nls C:/Users\nget-childitem C:\\Users\\\ndir C:\\Users\\\nget-localgroup\nnet localgroup\n```"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": null,
   "metadata": {},
   "outputs": [],
   "source": [
    "Invoke-AtomicTest T1087.001 -TestNumbers 9"
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "### Atomic Test #10 - Enumerate logged on users via CMD (Local)\nEnumerate logged on users. Upon exeuction, logged on users will be displayed.\n\n**Supported Platforms:** windows\n#### Attack Commands: Run with `command_prompt`\n```command_prompt\nquery user\n```"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": null,
   "metadata": {},
   "outputs": [],
   "source": [
    "Invoke-AtomicTest T1087.001 -TestNumbers 10"
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "### Atomic Test #11 - Enumerate logged on users via PowerShell\nEnumerate logged on users via PowerShell. Upon exeuction, logged on users will be displayed.\n\n**Supported Platforms:** windows\n#### Attack Commands: Run with `powershell`\n```powershell\nquery user\n```"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": null,
   "metadata": {},
   "outputs": [],
   "source": [
    "Invoke-AtomicTest T1087.001 -TestNumbers 11"
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "## Detection",
    "\n",
    "System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Lateral Movement, based on the information obtained.\n\nMonitor processes and command-line arguments for actions that could be taken to gather system and network information. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001)."
   ]
  }
 ],
 "metadata": {
  "kernelspec": {
   "display_name": ".NET (PowerShell)",
   "language": "PowerShell",
   "name": ".net-powershell"
  },
  "language_info": {
   "file_extension": ".ps1",
   "mimetype": "text/x-powershell",
   "name": "PowerShell",
   "pygments_lexer": "powershell",
   "version": "7.0"
  }
 },
 "nbformat": 4,
 "nbformat_minor": 4
}